commit: 0bd77a1d1e383ea906b88a8cd206554ccb4256d0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:07 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0bd77a1d
xdg: Add map perms, also make lnk_file, dirs consistent
policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 2fd2e34d..45d73f15 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,7 +63,6 @@ interface(`xdg_data_content',`
userdom_user_home_content($1)
')
-
########################################
## <summary>
## Read the xdg cache home files
@@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
')
read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ allow $1 xdg_cache_t:file map;
list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+ read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
userdom_search_user_home_dirs($1)
')
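Review bot: The added `allow $1 xdg_cache_t:file map;` in xdg_read_cache_files gives mmap to every caller of a plain read interface, so a domain that only needs read() can no longer be kept from mapping these files; the same unconditional line is added in every other read, write, create and manage hunk of this diff. The map permission exists so that policy can withhold mmap where each access should be rechecked, because a mapping, once established, is not revalidated per access. Consider keeping the read interfaces map-free and letting callers opt in through a dedicated interface, or through refpolicy's `mmap_read_files_pattern` if this tree carries it. If the blanket grant is intentional, a comment such as `# map: callers are expected to mmap() these files` above the line would record why. The interface body starts outside the hunk.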
@@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
')
read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ allow $1 xdg_cache_type:file map;
+ list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+ read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
userdom_search_user_home_dirs($1)
')
@@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`
manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+ allow $1 xdg_cache_t:file map;
manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
@@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`
manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+ allow $1 xdg_cache_type:file map;
manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
@@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
')
read_files_pattern($1, xdg_config_t, xdg_config_t)
+ allow $1 xdg_config_t:file map;
list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+ read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
userdom_search_user_home_dirs($1)
')
@@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
')
read_files_pattern($1, xdg_config_type, xdg_config_type)
+ allow $1 xdg_config_type:file map;
+ list_dirs_pattern($1, xdg_config_type, xdg_config_type)
+ read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
userdom_search_user_home_dirs($1)
')
@@ -454,6 +465,7 @@ interface(`xdg_manage_config',`
manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
manage_files_pattern($1, xdg_config_t, xdg_config_t)
+ allow $1 xdg_config_t:file map;
manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
@@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`
manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
manage_files_pattern($1, xdg_config_type, xdg_config_type)
+ allow $1 xdg_config_type:file map;
manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
@@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
')
read_files_pattern($1, xdg_data_t, xdg_data_t)
+ allow $1 xdg_data_t:file map;
list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+ read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
userdom_search_user_home_dirs($1)
')
@@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
')
read_files_pattern($1, xdg_data_type, xdg_data_type)
+ allow $1 xdg_data_type:file map;
+ list_dirs_pattern($1, xdg_data_type, xdg_data_type)
+ read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
userdom_search_user_home_dirs($1)
')
@@ -678,6 +696,7 @@ interface(`xdg_manage_data',`
manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
manage_files_pattern($1, xdg_data_t, xdg_data_t)
+ allow $1 xdg_data_t:file map;
manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
@@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`
manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
manage_files_pattern($1, xdg_data_type, xdg_data_type)
+ allow $1 xdg_data_type:file map;
manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
@@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+ allow $1 xdg_documents_t:file map;
+ manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
')
########################################
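Review bot: No hunk in this diff touches a read interface for xdg_documents_t, although the read interfaces for downloads, pictures, music and videos all gain the map and `read_lnk_files_pattern` lines. If the file has an xdg_read_documents interface (not visible here), it is left out of step with its siblings, contrary to the commit title. It should receive the same treatment, at least `read_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)`. The xdg_manage_documents body begins outside the hunk.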
@@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
')
read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
userdom_search_user_home_dirs($1)
')
@@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
')
create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
userdom_search_user_home_dirs($1)
')
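Review bot: xdg_create_downloads is a create-only interface, yet the new `create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)` lets its callers create symlinks in the downloads directory, which the read interfaces in this diff now allow other domains to read. The added `allow $1 xdg_downloads_t:file map;` also goes beyond creation, and is probably of little use to a caller that has no read access to the file. I would drop the map line here and keep the symlink grant only if a known caller needs it. The `## <summary>` block lies outside the hunk and presumably still describes file creation only, so it should mention directories and symlinks if they stay.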
@@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
')
write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
userdom_search_user_home_dirs($1)
')
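Review bot: The added `list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)` and `read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)` turn xdg_write_downloads from a write-only grant into one that also lets the caller enumerate the downloads directory and read symlinks in it. A domain meant only to write into known files gains visibility of everything else the user has downloaded. Callers that need to list the directory could call xdg_read_downloads as well. If the wider grant is kept, it should be stated in the interface's `## <summary>`, which is outside the hunk.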
@@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+ allow $1 xdg_downloads_t:file map;
+ manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
')
########################################
@@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
')
read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ allow $1 xdg_pictures_t:file map;
list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
userdom_search_user_home_dirs($1)
')
@@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+ allow $1 xdg_pictures_t:file map;
+ manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
')
########################################
@@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
')
read_files_pattern($1, xdg_music_t, xdg_music_t)
+ allow $1 xdg_music_t:file map;
list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+ read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
userdom_search_user_home_dirs($1)
')
@@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
manage_files_pattern($1, xdg_music_t, xdg_music_t)
+ allow $1 xdg_music_t:file map;
+ manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
')
########################################
@@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
')
read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ allow $1 xdg_videos_t:file map;
list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+ read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
userdom_search_user_home_dirs($1)
')
@@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+ allow $1 xdg_videos_t:file map;
+ manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
')
########################################