commit: 1dea46140374ccd2b67ed5daf6563e5917df519c Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Wed Oct 13 22:44:14 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1dea4614
wine: use user exec domain attribute Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/apps/wine.if | 58 +++++++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 25e09d6e..2050167d 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -4,18 +4,29 @@ ## <summary> ## Role access for wine. ## </summary> -## <param name="role"> +## <param name="role_prefix"> ## <summary> -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## </summary> ## </param> -## <param name="domain"> +## <param name="user_domain"> ## <summary> ## User domain for the role. ## </summary> ## </param> +## <param name="user_exec_domain"> +## <summary> +## User exec domain for execute and transition access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> # -interface(`wine_role',` +template(`wine_role',` gen_require(` attribute_role wine_roles; type wine_exec_t, wine_t, wine_tmp_t; @@ -24,18 +35,18 @@ interface(`wine_role',` roleattribute $1 wine_roles; - domtrans_pattern($2, wine_exec_t, wine_t) + domtrans_pattern($3, wine_exec_t, wine_t) - allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; + allow wine_t $3:unix_stream_socket connectto; + allow wine_t $3:process signull; - ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; + ps_process_pattern($3, wine_t) + allow $3 wine_t:process { ptrace signal_perms }; - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; - allow $2 wine_t:unix_stream_socket connectto; + allow $3 wine_t:fd use; + allow $3 wine_t:shm { associate getattr }; + allow $3 wine_t:shm rw_shm_perms; + allow $3 wine_t:unix_stream_socket connectto; allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; @@ -55,18 +66,23 @@ interface(`wine_role',` ## </desc> ## <param name="role_prefix"> ## <summary> -## The prefix of the user domain (e.g., user -## is the prefix for user_t). +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## </summary> ## </param> -## <param name="user_role"> +## <param name="user_domain"> ## <summary> -## The role associated with the user domain. +## User domain for the role. ## </summary> ## </param> -## <param name="user_domain"> +## <param name="user_exec_domain"> +## <summary> +## User exec domain for execute and transition access. +## </summary> +## </param> +## <param name="role"> ## <summary> -## The type of the user domain. +## Role allowed access ## </summary> ## </param> # @@ -86,7 +102,7 @@ template(`wine_role_template',` domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $3) + corecmd_bin_domtrans($1_wine_t, $2) userdom_manage_user_tmpfs_files($1_wine_t) @@ -97,7 +113,7 @@ template(`wine_role_template',` ') optional_policy(` - xserver_role($1, $1_wine_t, $1_application_exec_domain, $1_r) + xserver_role($1, $1_wine_t, $3, $4) ') ')